Iranian hackers have searched cybercriminal websites for sensitive data stolen from American and foreign organizations that could be useful in future efforts to hack those organizations, the FBI said in an advisory sent to US companies obtained by CNN.
The Iranian hackers have taken an interest in dark-web forums, where scammers leak information on their victims such as stolen emails and network configurations, according to the November 8 advisory. The FBI is concerned that the Iranian hacking group could use that information to plot ways into US corporate networks in the future.
Organizations at risk are advised to take mitigation measures to block hacking attempts by securing Remote Desktop Protocol (RDP) servers, Web Application Firewalls, and Kentico CMS installations targeted by this adversary, said Bleeping Computer, a cybersecurity news outlet, which was the first to report on the FBI analysis.
"Among the Tactics, Techniques, and Procedures (TTPs) used in attacks by this threat actor since May 2021, the FBI mentions the use of auto-exploiter tools used to compromise WordPress sites to deploy web shells, breaching RDP servers and using them to maintain access to victims' networks."
It is unclear which Iranian hacking group is behind the activity. The FBI did not identify the hackers by name or say if they are linked to the Iranian government.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, told CNN that Iranian government-linked hackers have increasingly dabbled in cybercriminal activity, such as ransomware, as a means of blurring the lines between state and non-state cyber operations.
"It is well within (Iranian groups') modus operandi to purchase access to networks held by a criminal group if it serves their interests," he added.
An unnamed Iranian hacking group used similar tools to steal voter registration data from state election sites between September and October 2020, Bleeping Computer.
"That voter info was later used to impersonate the far-right Proud Boys organization and send threatening emails to Democratic voters warning that they must vote for Trump or face the consequences."
"The FBI's Cyber Division also warned in a private industry notification issued last week that ransomware gangs have compromised the networks of several tribal-owned casinos, taking down their servers and disabling connected systems."
"The same week, the federal agency also alerted the public that criminals are increasingly using cryptocurrency ATMs and QR codes for fraud, making it harder for law enforcement to recover the victims' financial losses."